We looked long and hard at pfSense to use as a NATing gateway, but as good as the product is, its logging features are (were?) pretty awful. I can't speak to what it logs as a router, but if this is important to you, you may want to verify it meets your needs. -Brian H.

Comments

On Wed, Mar 06, 2013 at 02:05:33PM +0000, Brian Helman wrote:
> We looked long and hard at pfSense to use as a NATing gateway, but as
> good as the product is, its logging features are (were?) pretty
> awful. I can't speak to what it logs as a router, but if this is
> important to you, you may want to verify it meets your needs.

This was part of why we went vanilla FreeBSD instead of pfSense. OpenBSD's tcpdump has out-of-the-box support for the pfSync device (additions, subtractions and modifications to the firewall tables to share state between multiple firewalls). The original author of pf, Daniel Hartmeier, has a patch for the tcpdump in FreeBSD 8.x that adds pfsync support. That makes it trivial to run something like

    tcpdump -i pfsync0 'ether[2]!=2' >> /tmp/nat_logs 2>&1 &

Every hour we parse the log (go go perl) for inserts and removals. THAT script has been written, rewritten and edited heavily to reduce run-time and to take advantage of cheap storage but expensive CPU cycles.

If we have to replace one I do a vanilla install, grab my handy dandy deploy script and it copies any necessary scripts or patches, patches tcpdump, sets the config for pf, etc. Overall time to replace one of our NAT firewalls, once it's actually racked, is under half an hour -- and that includes the five to ten minutes to do the OS installation.

kmw

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
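The hourly "parse the log for inserts and removals" step above is the part that turns a pfsync capture into something useful for accountability (which internal host held which translated address and port, and when). The following is an added example, not the poster's perl script: a small Python parser that builds that NAT session log and answers the lookup question. The log line layout it expects is an assumption modelled on how tcpdump names pfsync actions (INS ST, UPD ST, DEL ST, CLR ST) and how pf prints a NATed state (`src (translated) -> dst`); the sample lines are constructed. UPD messages are ignored, since only inserts and removals matter for the session record.

```python
"""Turn tcpdump output captured on a pfsync interface into a NAT session
log and answer "who held translated ip:port at time T?".

Added example; the line format is an ASSUMPTION modelled on pfsync action
names and pf's state printout, and the sample log is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a header line per pfsync message, then one indented
# state line per state in that message.
SAMPLE_LOG = """\
13:00:01.000001 PFSYNCv4 INS ST count 2
\ttcp 10.0.0.5:51234 (203.0.113.10:40001) -> 198.51.100.7:443  ESTABLISHED:ESTABLISHED
\tudp 10.0.0.9:5353 (203.0.113.10:40002) -> 198.51.100.53:53  MULTIPLE:SINGLE
13:00:05.000002 PFSYNCv4 UPD ST count 1
\ttcp 10.0.0.5:51234 (203.0.113.10:40001) -> 198.51.100.7:443  ESTABLISHED:ESTABLISHED
13:12:30.000003 PFSYNCv4 DEL ST count 1
\ttcp 10.0.0.5:51234 (203.0.113.10:40001) -> 198.51.100.7:443  CLOSED:CLOSED
13:30:00.000004 PFSYNCv4 INS ST count 1
\ttcp 10.0.0.7:3300 (203.0.113.10:40001) -> 198.51.100.8:22  ESTABLISHED:ESTABLISHED
"""

# Assumed formats (see module docstring).
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) PFSYNCv\d+ (INS ST|UPD ST|DEL ST|CLR ST)")
# "(translated)" is optional so un-NATed states still parse.
STATE_RE = re.compile(r"^\s+(tcp|udp|icmp)\s+(\S+)\s+(?:\((\S+)\)\s+)?->\s+(\S+)")


@dataclass
class Session:
    proto: str
    internal: str      # original source ip:port
    translated: str    # what the outside world saw
    dest: str
    opened: str        # timestamp of INS ST
    closed: Optional[str] = None  # timestamp of DEL ST (or CLR ST), None if still open


def parse_pfsync_log(text: str) -> Tuple[List[Session], Dict[str, int]]:
    """Return every session seen (open or closed) and counts of state
    inserts/removals.  State lines are attributed to the most recent header."""
    sessions: List[Session] = []
    open_by_key: Dict[tuple, Session] = {}
    counts = {"INS ST": 0, "DEL ST": 0}
    ts: Optional[str] = None
    action: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, action = m.group(1), m.group(2)
            if action == "CLR ST":
                # The firewall flushed its state table: close everything open.
                for s in open_by_key.values():
                    s.closed = ts
                open_by_key.clear()
            continue
        m = STATE_RE.match(line)
        if not m or action not in ("INS ST", "DEL ST") or ts is None:
            continue  # UPD lines and anything unrecognised are ignored
        proto, src, nat, dst = m.groups()
        key = (proto, src, nat or src, dst)
        if action == "INS ST":
            counts["INS ST"] += 1
            s = Session(proto, src, nat or src, dst, ts)
            open_by_key[key] = s
            sessions.append(s)
        elif key in open_by_key:
            counts["DEL ST"] += 1
            open_by_key.pop(key).closed = ts
    return sessions, counts


def who_had(sessions: List[Session], translated: str, at: str) -> Optional[str]:
    """Internal ip:port that held `translated` at time `at`.
    Timestamps are compared as fixed-width HH:MM:SS.ffffff strings, which is
    valid because each hourly log file covers a single day (assumption)."""
    for s in sessions:
        if s.translated == translated and s.opened <= at and (s.closed is None or at <= s.closed):
            return s.internal
    return None


if __name__ == "__main__":
    sess, cnt = parse_pfsync_log(SAMPLE_LOG)
    print(cnt)
    for s in sess:
        print(f"{s.proto} {s.internal} as {s.translated} -> {s.dest} [{s.opened} .. {s.closed or 'open'}]")
    print(who_had(sess, "203.0.113.10:40001", "13:05:00.000000"))
```

Because translated ports are reused (the sample reuses 40001 after the first session closes), the lookup has to match on the time window, not just the address; that is why the removals are worth recording at all and why a flush (CLR ST) closes every open session in the log.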
We use the pfflowd package for pfSense to provide logging. We send the data to an installation of NFSEN (nfsen.sourceforge.net) to view and graph the flow data. My understanding is that the pfflowd package simply translates the pfsync device's output into netflow packets and allows you to direct them to any NetFlow collector.

________________________________
Ian Bergeron
Administrator of Networked Systems
MCLA Computer Support Services
Office: (413)662-5394 - Cell: (413)663-0957
Ian.Bergeron@mcla.edu

The EDUCAUSE Network Management Constituent Group Listserv writes:
>We looked long and hard at pfSense to use as a NATing gateway, but as
>good as the product is, its logging features are (were?) pretty awful.
>I can't speak to what it logs as a router, but if this is important to
>you, you may want to verify it meets your needs.
>
>-Brian H.